L12: Write-Log Cmdlet Enables Log Forgery Indistinguishable from System Events
Severity: LOW
Category: Log Integrity
File: src/Spe/Commands/Diagnostics/WriteLogCommand.cs
Lines: 60–82
Risk Explanation
The Write-Log cmdlet passes user-provided content directly to PowerShellLog methods without sanitization or source tagging. When JSON format logging is enabled, a script author can craft log entries that are structurally indistinguishable from system-generated events:
```powershell
Write-Log "[Security] action=loginSuccess user=admin ip=10.0.0.1 status=authenticated"
```
This produces a JSON log entry that a SIEM/Splunk parser interprets as a genuine successful admin login.
Practical impact: Low. The attacker must have script execution privileges. However, in multi-author environments, a lower-privileged script author could forge audit entries to cover malicious activity.
Implementation Plan
Add a source field to differentiate script-authored log entries:
```csharp
protected override void ProcessRecord()
{
    // Prepend a fixed source tag so every script-authored entry is marked
    // before the user-controlled LogString reaches PowerShellLog.
    var taggedMessage = $"[Script] source=user-script {LogString}";
    switch (LogLevel)
    {
        case "info": PowerShellLog.Info(taggedMessage); break;
        // ... other levels
    }
}
```
The [Script] prefix and source=user-script key ensure SIEM parsers can filter or flag script-authored entries.
Files to modify
| File | Change |
| --- | --- |
| src/Spe/Commands/Diagnostics/WriteLogCommand.cs | Add source=user-script tag to all log output |
Test Plan
- Unit test — Write-Log output includes source tag: call Write-Log "test" → log contains source=user-script.
- Unit test — system events do NOT contain source tag.
- SIEM filter test: configure a query that excludes source=user-script — verify system events pass, script events are filtered.
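The SIEM filter test above, and the tag described in the implementation plan, worked through as an added example (Python, not SPE's own code). The JSON line layout is an assumption for illustration; it also shows why the filter should honour the first `source=` key it sees, so a script cannot override the prepended tag by repeating the key in its own text.

```python
import json
import re

SCRIPT_TAG = "[Script] source=user-script"

def tag_script_message(message: str) -> str:
    """Mirror of the proposed cmdlet change: prefix every script-authored message."""
    return f"{SCRIPT_TAG} {message}"

FORGED = "[Security] action=loginSuccess user=admin ip=10.0.0.1 status=authenticated"

# Constructed sample log (assumed JSON layout, not SPE's real format).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    # Genuine system event.
    {"ts": "2024-01-01T10:00:00Z", "level": "INFO",
     "message": "[Security] action=loginSuccess user=alice ip=10.0.0.5 status=authenticated"},
    # Forged entry as Write-Log emits it today: no tag, indistinguishable from the one above.
    {"ts": "2024-01-01T10:00:01Z", "level": "INFO", "message": FORGED},
    # Same forged text once the cmdlet prepends the tag.
    {"ts": "2024-01-01T10:00:02Z", "level": "INFO", "message": tag_script_message(FORGED)},
    # Script repeats the key to try to override the tag.
    {"ts": "2024-01-01T10:00:03Z", "level": "INFO",
     "message": tag_script_message("source=system " + FORGED)},
])

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_fields(message: str) -> dict:
    """Extract key=value pairs; the FIRST occurrence of a key wins, so a later
    'source=' written by the script cannot replace the prepended tag."""
    fields = {}
    for key, value in KV_RE.findall(message):
        fields.setdefault(key, value)
    return fields

def is_script_authored(entry: dict) -> bool:
    msg = entry["message"]
    return msg.startswith(SCRIPT_TAG) or parse_fields(msg).get("source") == "user-script"

def genuine_logins(log_text: str) -> list:
    """SIEM-style query: successful logins with source=user-script entries excluded."""
    users = []
    for line in log_text.splitlines():
        entry = json.loads(line)
        fields = parse_fields(entry["message"])
        if fields.get("action") == "loginSuccess" and not is_script_authored(entry):
            users.append(fields.get("user"))
    return users

if __name__ == "__main__":
    print(genuine_logins(SAMPLE_LOG))  # ['alice', 'admin']: the untagged forgery still passes
```

The `admin` entry that survives is the untagged one, i.e. the current behaviour; both tagged variants are filtered out.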